EPA's Web security still vulnerable to hackers

Despite efforts to shore up computer security, the Environmental Protection Agency is still an open target for hackers, according to congressional
investigators.

January 2, 2002 4:43 PM PST

A report released today by the General Accounting Office, the
investigative arm of Congress, found that the agency's system continues to be "riddled with
security weaknesses" that could allow hackers to tamper with data, view
sensitive information or attack other agencies using the EPA system.

In the report, investigators said the EPA failed to notice government
security experts rummaging through its computers. During their tests,
investigators were able to guess passwords, hack into the computer network,
watch unsuspecting people type their passwords, and move throughout
the network unimpeded.

In response to the report, the EPA said in a statement that it "will continue its efforts into the future to improve computer security, to take into account emerging technologies."

"The administration is fully committed to the public's right-to-know, has consistently expanded and defended that right," the EPA's statement said. "Computer issues should not be used in an effort to restrict vital
information."

The GAO investigated the agency at the request of House Commerce Committee
Chairman Tom Bliley, R-Va., who in August 1999 asked for an audit of the
EPA's system for his review of the computer security policies and programs
of some federal agencies under the committee's jurisdiction.

Investigators found widespread flaws that
rendered the EPA's information security program ineffective,
according to the report.

"The GAO report, coupled with the committee's other recent oversight in this
area, shows that despite the tough rhetoric, the Clinton-Gore
administration's cybersecurity policy amounts to little more than paper
pushing," Bliley said in a statement.

After a preliminary review last February found "serious and pervasive
problems" in the EPA's security system, Bliley said he asked the agency to
take down its computer systems and overhaul its network security. The EPA
complied by shuttering its Internet link temporarily to make repairs,
according to the GAO report.

Since the system was restored, the agency has been beefing up its computer
security measures. Investigators, however, say there is still work to be
done.

"It is unfortunate that years of gross mismanagement at the agency have
left these sensitive systems and data at such serious risk for so long,"
Bliley said in a statement. "But it is even more unfortunate that it took
this committee's oversight and public pressure to motivate the agency to
undertake responsible steps to ensure its computer systems provide adequate
protection for sensitive agency data."

In the report, investigators also expressed concern regarding weaknesses
found during their current assessment that had been detailed for the agency
in 1997 in a report from the EPA's own inspector general.

The GAO performed its audit at the EPA's headquarters and the National Computer
Center from September 1999 through February 2000.

In late July, Bliley asked the GAO for a similar audit of the Commerce
Department's cybersecurity program. He also recently launched a review of
the Food and Drug Administration's information management policies and
practices, requesting records detailing the agency's computer security
practices and any hacker attacks against it.